
Authentication as a licensing mechanism

Every software developer wants to eat, and it is very disappointing when a program on which a lot of time and effort has been spent is available for anyone to use without any legal contribution to its author. The developer, not having received his hard-earned money, begins to worry, sleeps poorly, or stops creating products altogether. Protecting software from unauthorized use began almost at the same time as software products began to be sold. Different mechanisms have been used at different times: serial numbers, binding to CDs and to computer parameters, electronic keys. All of these mechanisms are covered in sufficient detail on the Internet. There is far less information on how to protect the interests of developers of SaaS solutions. I will try to describe one mechanism for "licensing" online software, which came up somewhat unexpectedly for me.




To start, it is worth defining what we are talking about. Conventionally, the problem can be divided into two parts:
• Illegal copying of software;
• Illegal use of software.
You can more or less forget about illegal copying if you distribute your software as a service. Unlike software distributed in the usual way, the program itself does not end up in the hands of the user (or intruder) and cannot simply be copied. However, you should not relax: anyone who obtains administrative access to your system can still copy the software. Nor should you forget that some SaaS solutions are written in scripting languages, which makes it easier for an attacker to modify the developer's work and pass it off as his own. To protect this area, use strong authentication for administrative accounts, audit access to the system, and choose the hosting for your service carefully. All of this is fairly standard.

Protection against illegal use also looks easier at first glance. Unlike a locally installed program, the user has no access to the executable file and so cannot modify its code or otherwise disable its protection. That is, it is easier for us to ensure the integrity of our software and its protection mechanisms. Assuming the program code contains no errors, it follows that protecting SaaS from illegal use reduces to providing a user authentication mechanism. It should be noted that my assumption about the absence of errors is, unfortunately, only an assumption. Even systems as critical as RBS systems contain plenty of software errors.

Today the most common protection mechanism is the banal login and password issued to a user for access to the system. What threats does it carry? If the user does not store any of his own data in the system, he will not care about keeping his password safe. Besides the password being intercepted or stolen, the user himself can pass it on to friends or workmates, or publish it on the Internet. This suggests a direct analogy with the serial numbers used to protect desktop software. The business model is most vulnerable when, for example, you sell access to a database for a period of time and the payment does not depend on the number of documents viewed. In that case a whole team of "like-minded people" can sit under one login. One method of protection is to limit the number of sessions created under one login. The mechanism is quite effective, but it does not completely solve the problem.
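As an added illustration of the session-limiting idea (this is example code written for this page, not from the original post or any product it mentions), the following Python sketch keeps at most two live sessions per login, evicts the oldest one when a third login arrives, expires idle sessions, and records which distinct client addresses sit behind one login. The cap, the idle timeout, the "last login wins" eviction policy and the IP addresses are all constructed assumptions for the example.

```python
import secrets
import time
from collections import defaultdict


class FakeClock:
    """Deterministic clock so the example runs without sleeping."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class SessionStore:
    """In-memory session store that caps concurrent sessions per login.

    Policy (constructed for this example, not taken from the post):
      * a login may hold at most `max_sessions` live sessions;
      * a session idle for longer than `ttl` seconds is expired, so a user
        who just closed the browser does not lock himself out;
      * when the cap is hit, the oldest live session is evicted and the new
        login succeeds ("last login wins"); the eviction is logged so an
        operator can spot logins whose holders keep kicking each other out.
    """

    def __init__(self, max_sessions=2, ttl=1800, clock=time.monotonic):
        self.max_sessions = max_sessions
        self.ttl = ttl
        self.clock = clock
        self.sessions = {}                  # session_id -> [user, last_seen, client_ip]
        self.by_user = defaultdict(list)    # user -> [session_id, ...], oldest first
        self.evictions = []                 # audit trail: (user, evicted_sid, new_client_ip)

    def _drop(self, sid):
        user = self.sessions.pop(sid)[0]
        self.by_user[user].remove(sid)

    def _expire_idle(self, user):
        now = self.clock()
        for sid in list(self.by_user[user]):
            if now - self.sessions[sid][1] > self.ttl:
                self._drop(sid)

    def login(self, user, client_ip):
        """Create a session after a successful password check; returns the session id."""
        self._expire_idle(user)
        live = self.by_user[user]
        if len(live) >= self.max_sessions:
            oldest = live[0]
            self._drop(oldest)
            self.evictions.append((user, oldest, client_ip))
        sid = secrets.token_urlsafe(32)     # unguessable session identifier
        self.sessions[sid] = [user, self.clock(), client_ip]
        live.append(sid)
        return sid

    def touch(self, sid):
        """Validate the session on each request; returns the user or None."""
        entry = self.sessions.get(sid)
        if entry is None:
            return None
        if self.clock() - entry[1] > self.ttl:
            self._drop(sid)
            return None
        entry[1] = self.clock()
        return entry[0]

    def active_sessions(self, user):
        self._expire_idle(user)
        return len(self.by_user[user])

    def distinct_ips(self, user):
        """Distinct client addresses behind one login: a cheap signal of a shared account."""
        self._expire_idle(user)
        return {self.sessions[sid][2] for sid in self.by_user[user]}


def demo():
    """Walk a shared login through the cap; returns the observations."""
    clock = FakeClock()
    store = SessionStore(max_sessions=2, ttl=1800, clock=clock)
    s1 = store.login("alice", "203.0.113.10")        # constructed addresses
    s2 = store.login("alice", "203.0.113.11")
    s3 = store.login("alice", "198.51.100.7")         # third login evicts s1
    result = {
        "s1_revoked": store.touch(s1) is None,
        "s2_alive": store.touch(s2) == "alice",
        "s3_alive": store.touch(s3) == "alice",
        "active_after_cap": store.active_sessions("alice"),
        "evictions": len(store.evictions),
        "ips_behind_login": len(store.distinct_ips("alice")),
    }
    clock.advance(1801)                               # everyone idles past the TTL
    result["active_after_idle"] = store.active_sessions("alice")
    return result


if __name__ == "__main__":
    print(demo())
```

The eviction log and the per-login address set are the parts worth keeping in a real deployment: a login that is evicted many times a day from several networks is exactly the "team under one login" the post describes, and that pattern is easier to detect than to prevent with a cap alone.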

Recently I had occasion to work with several companies that decided to limit access to their services by a more rigorous method. To ensure reliable "licensing", tokens with non-extractable keys were used, which are essentially analogous to the hardware keys used to protect desktop software. The Rutoken Web device produced by Aktiv allows building an authentication scheme in which the service cannot be used without physical possession of the key. That is, one key, one user. This approach solves the problem of many people using the service under one license. This is how strong authentication acquired, for me, an additional role as a software licensing mechanism.
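To make the "one key, one user" binding concrete, here is an added Python model of the server side of a possession-based login (example code written for this page, not Aktiv's or the post's code, and not the Rutoken Web protocol). The server enrols exactly one key per login, issues a random single-use challenge with a short lifetime, and accepts a login only if the challenge was signed by the key bound to that login. The hardware token is simulated by a `HardwareToken` class whose secret is never handed to callers; it signs with HMAC-SHA256 so the example runs on the standard library alone, which is a constructed stand-in for the device's asymmetric signature with a non-extractable key. Class and function names, the 60-second challenge lifetime and the user names are assumptions for the example.

```python
import hashlib
import hmac
import secrets
import time


def auth_message(user: str, challenge: bytes) -> bytes:
    """What the token signs: the login name bound to the server's fresh nonce."""
    return user.encode("utf-8") + b"\x00" + challenge


class HardwareToken:
    """Stand-in for a token with a non-extractable key (constructed for this example).

    A real device signs the challenge inside the hardware and the key never
    leaves it. Here an HMAC-SHA256 over a secret held only by this object
    plays that role; the one place the stand-in is weaker than a device is
    that enrolment hands the server the same secret instead of a public key.
    """

    def __init__(self):
        self._secret = secrets.token_bytes(32)
        self.key_id = hashlib.sha256(b"key-id" + self._secret).hexdigest()[:16]

    def sign(self, message: bytes) -> bytes:
        return hmac.new(self._secret, message, hashlib.sha256).digest()

    def registration_key(self) -> bytes:
        """Released once, at enrolment (would be the public key with an asymmetric token)."""
        return self._secret


class TokenAuthServer:
    """Enrol one key per login, issue single-use challenges, verify signatures."""

    def __init__(self, challenge_ttl=60, clock=time.monotonic):
        self.clock = clock
        self.challenge_ttl = challenge_ttl
        self.key_by_login = {}   # login -> (key_id, verification key)
        self.login_by_key = {}   # key_id -> login: enforces "one key, one user"
        self.pending = {}        # challenge -> (login, issued_at)

    def enrol(self, user, token):
        if token.key_id in self.login_by_key:
            raise ValueError("this key is already bound to another login")
        if user in self.key_by_login:
            raise ValueError("this login already has a key")
        self.key_by_login[user] = (token.key_id, token.registration_key())
        self.login_by_key[token.key_id] = user

    def issue_challenge(self, user):
        if user not in self.key_by_login:
            return None
        challenge = secrets.token_bytes(32)
        self.pending[challenge] = (user, self.clock())
        return challenge

    def verify(self, user, key_id, challenge, signature) -> bool:
        entry = self.pending.pop(challenge, None)   # consumed on first use, valid or not
        if entry is None:
            return False
        issued_for, issued_at = entry
        if issued_for != user or self.clock() - issued_at > self.challenge_ttl:
            return False
        bound = self.key_by_login.get(user)
        if bound is None or bound[0] != key_id:
            return False                            # a different key cannot vouch for this login
        expected = hmac.new(bound[1], auth_message(user, challenge), hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)


def demo():
    """Run the legitimate flow and the failure cases; returns the outcomes."""
    now = [0.0]                                     # controllable clock for the example
    server = TokenAuthServer(challenge_ttl=60, clock=lambda: now[0])
    alice_token, stray_token = HardwareToken(), HardwareToken()
    server.enrol("alice", alice_token)

    def attempt(user, token):
        ch = server.issue_challenge(user)
        return ch, server.verify(user, token.key_id, ch, token.sign(auth_message(user, ch)))

    ch, ok = attempt("alice", alice_token)
    replay = server.verify("alice", alice_token.key_id, ch,
                           alice_token.sign(auth_message("alice", ch)))
    _, wrong_key = attempt("alice", stray_token)    # knows the login, lacks the key
    stale_ch = server.issue_challenge("alice")
    now[0] += 61
    stale = server.verify("alice", alice_token.key_id, stale_ch,
                          alice_token.sign(auth_message("alice", stale_ch)))
    try:
        server.enrol("bob", alice_token)            # same key for a second login
        rebound = True
    except ValueError:
        rebound = False
    return {"legit": ok, "replay": replay, "wrong_key": wrong_key,
            "stale": stale, "key_rebound": rebound}


if __name__ == "__main__":
    print(demo())
```

The licensing property lives in `enrol` and in the key check inside `verify`: a login name and password can be shared, but a challenge for `alice` is only accepted when it is signed by the one key enrolled for `alice`, and that key cannot be enrolled for a second login.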

I wrote in more detail about the Rutoken Web authentication mechanism here.

Source: https://habr.com/ru/post/141478/
